Getting Your Hands Dirty In the Fight on Malware, Part 2

Analyzing Outbound and Inbound Traffic, and Network Segmentation Can Help Protect Your Network, Even After It Has Been Compromised.

In my previous column I took a long look at modern malware with a focus on how to prevent malware from getting into your network in the first place. In case you missed it, you can read it here.

While we all probably agree that prevention is the best medicine, it’s also foolhardy to believe that prevention alone will be enough to protect us. Whether coming from a non-network source such as a USB drive or simply from a clever attacker who finds a weakness, we have to assume that eventually our networks will be compromised if they haven’t already.

That statement alone is enough to make many security professionals (and their management) a bit prickly, which is certainly understandable. We commit precious time, money and professional effort to defending against threats, and simply presuming that our defenses have been compromised can feel like all that work has been for naught. This is not the case at all.

Assuming that we aren’t compromised just plays into the attackers’ hands. What we need is to extend the security we already have so that it also protects the soft parts of our network that attackers are targeting. Malware and targeted attacks rely on the assumption that once they get inside the perimeter, they can build a foothold and dig deeper with less worry of detection. But just because someone is able to break into a bank doesn’t mean that we should let them walk out with the money. So in that spirit, let’s pick up where we left off and take a look at some of the practical tools and techniques that we can use to identify and stop live malware infections in our networks.

Looking Inward

Traditional enterprise networks have often been described as “hard, crunchy shells with soft, gooey centers”. This refers to the tendency for the external perimeter to be heavily fortified against outside threats, while internal users, traffic and assets tend to be trusted. Attackers have used malware to crack this model and shift the security battle to the inside of the network, where security measures are sparse.

While this has been a recognized problem for quite some time, we are finally beginning to see new proposed security architectures that address it. Analysts such as Forrester’s John Kindervag have begun to push the notion of the “Zero-Trust Network” (video), where all traffic, including internal traffic, is passed through a “segmentation gateway” for analysis. And although many of us may not be able to adopt such a consistently segmented model overnight, there are practical steps that almost any enterprise can take today.

The first step is to expand our best threat and application analysis to cover outbound traffic as well as inbound traffic. Ongoing command and control traffic is the lifeblood of modern malware, and the initial infection is only the first step in an intrusion that will likely cross our perimeter many times. Given that malware traffic flows in both directions, our defenses should certainly be looking in both directions as well.

Secondly, we should begin segmenting the internal network. A flat, un-segmented network is the hacker’s delight – if you own one machine, you can own the entire network. The network and its assets can often be segmented on the basis of application, user and content types. For example, a policy could dictate that only finance managers are allowed to access the database that houses financial data, that they may only do so over SQL, and that all other traffic is denied by default. This not only segments the network based on need, but the logs of blocked connections can indicate when someone is trying to get into sensitive assets. And while this is an admittedly simple example, the general process of understanding who needs access to what information, and what application they should use to access it, can be applied to virtually any environment.
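A minimal model of that finance-database policy, added here as an illustration rather than code from the column: allow rules keyed by user group, destination and application, deny by default, and a count of denied attempts against sensitive hosts so that the blocked-connection log becomes an alert rather than just a record. The addresses, group names, application labels and the SQL port (1433, assumed) are all constructed.

```python
from collections import Counter

FINANCE_DB = "10.20.0.10"   # constructed address of the financial database
SQL_PORT = 1433             # assumption: the database listens on the MS-SQL default port

# Allow rules as (user group, destination host, destination port, application).
# Anything that matches no rule is denied by default.
ALLOW_RULES = [
    ("finance-managers", FINANCE_DB, SQL_PORT, "sql"),
]

def evaluate(conn):
    """Return 'allow' or 'deny' for one connection record (a dict)."""
    for group, host, port, app in ALLOW_RULES:
        if (conn["group"] == group and conn["dst"] == host
                and conn["dport"] == port and conn["app"] == app):
            return "allow"
    return "deny"

def denied_to_sensitive(conns, sensitive_hosts, threshold=3):
    """Count denied connections per source aimed at sensitive assets and
    return the sources that reach `threshold`: the 'someone is knocking' signal."""
    counts = Counter()
    for c in conns:
        if evaluate(c) == "deny" and c["dst"] in sensitive_hosts:
            counts[c["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed connection records: one finance manager, one marketing host
# that keeps trying the finance database with anything but the allowed path.
SAMPLE = [
    {"src": "10.10.1.5",  "group": "finance-managers", "dst": FINANCE_DB, "dport": 1433, "app": "sql"},
    {"src": "10.10.1.5",  "group": "finance-managers", "dst": FINANCE_DB, "dport": 445,  "app": "smb"},
    {"src": "10.10.7.22", "group": "marketing",        "dst": FINANCE_DB, "dport": 1433, "app": "sql"},
    {"src": "10.10.7.22", "group": "marketing",        "dst": FINANCE_DB, "dport": 22,   "app": "ssh"},
    {"src": "10.10.7.22", "group": "marketing",        "dst": FINANCE_DB, "dport": 3389, "app": "rdp"},
    {"src": "10.10.7.22", "group": "marketing",        "dst": "10.10.7.1", "dport": 80,  "app": "http"},
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(evaluate(c), c["src"], "->", c["dst"], c["dport"], c["app"])
    print("sources probing sensitive assets:", denied_to_sensitive(SAMPLE, {FINANCE_DB}))
```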

Another option is to begin segmenting assets that attackers commonly target for escalation, such as domain controllers, email servers or any asset where user identity is managed. These are common targets once an attacker is inside the network because they can allow the attacker to escalate from a low-profile user identity, with relatively few network rights, to a far more powerful role such as network admin. Unlike our earlier example, the goal here is not to deny access (people need their email), but rather to establish highly granular logging and reporting to identify an intruder who may be skulking around. For example, ping sweeps, an unusual spike in failed login attempts, or newly created admin accounts should all be cause for alarm.
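Detection logic for two of the indicators just listed (a burst of failed logins from one source, and an account added to an admin group), added here as an example and not taken from the column. It assumes an invented one-line-per-event log format and constructed sample lines; real authentication logs look different and need their own parser.

```python
import re
from datetime import datetime, timedelta

# Assumed (invented) line format: "<date> <time> <source-ip> <EVENT> [details]"
LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+)(?: (.*))?$")

def parse(text):
    """Turn log text into (timestamp, source, event, details) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3], m[4] or ""))
    return events

def failed_login_spikes(events, window=timedelta(minutes=5), threshold=5):
    """Sources with at least `threshold` LOGIN_FAILED events inside any sliding `window`."""
    per_src = {}
    for ts, src, event, _ in events:
        if event == "LOGIN_FAILED":
            per_src.setdefault(src, []).append(ts)
    hits = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window past old events
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits

def new_admin_accounts(events, admin_groups=("Domain Admins",)):
    """(source, account) pairs for accounts added to a privileged group."""
    return [(src, details.partition(" -> ")[0])
            for _, src, event, details in events
            if event == "GROUP_MEMBER_ADDED"
            and details.partition(" -> ")[2] in admin_groups]

# Constructed sample log: one source hammering logins, one ordinary user, two group changes.
SAMPLE_LOG = """\
2013-02-01 09:00:01 10.10.7.22 LOGIN_FAILED user=jsmith
2013-02-01 09:00:03 10.10.7.22 LOGIN_FAILED user=admin
2013-02-01 09:00:04 10.10.7.22 LOGIN_FAILED user=administrator
2013-02-01 09:00:06 10.10.7.22 LOGIN_FAILED user=svc_backup
2013-02-01 09:00:09 10.10.7.22 LOGIN_FAILED user=finance01
2013-02-01 09:05:00 10.10.1.5 LOGIN_FAILED user=mlee
2013-02-01 09:52:17 10.10.7.22 GROUP_MEMBER_ADDED backup2 -> Domain Admins
2013-02-01 10:00:00 10.10.1.9 GROUP_MEMBER_ADDED mlee -> Marketing
"""
```

Running `failed_login_spikes(parse(SAMPLE_LOG))` flags only 10.10.7.22, and `new_admin_accounts` returns only the Domain Admins change, not the Marketing one.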

The end goal is to make our networks less flat, with better internal controls, so that we can get rid of that soft, gooey center.

In my next piece, I will cover what to look for, now that we are looking in the right places, and how we can often detect the telltale signs of malware infections.

Related Reading: Getting Your Hands Dirty in the Fight on Modern Malware, Part 1

Related Reading: An Introduction to Modern Malware 

Related Reading: Using Network Segmentation to Protect the Modern Enterprise Network
